Merge branch 'master' of https://github.com/MISP/misp-galaxy into newMitre

pull/343/head
mokaddem 2019-02-15 08:51:02 +01:00
commit e67bc2efde
7 changed files with 379 additions and 40 deletions


@ -94,12 +94,12 @@ The MISP galaxy (JSON files) are dual-licensed under:
or
~~~~
Copyright (c) 2015-2018 Alexandre Dulaunoy - a@foo.be
Copyright (c) 2015-2018 CIRCL - Computer Incident Response Center Luxembourg
Copyright (c) 2015-2018 Andras Iklody
Copyright (c) 2015-2018 Raphael Vinot
Copyright (c) 2015-2018 Deborah Servili
Copyright (c) 2016-2018 Various contributors to MISP Project
Copyright (c) 2015-2019 Alexandre Dulaunoy - a@foo.be
Copyright (c) 2015-2019 CIRCL - Computer Incident Response Center Luxembourg
Copyright (c) 2015-2019 Andras Iklody
Copyright (c) 2015-2019 Raphael Vinot
Copyright (c) 2015-2019 Deborah Servili
Copyright (c) 2016-2019 Various contributors to MISP Project
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:


@ -4629,7 +4629,20 @@
},
"uuid": "08965226-c8a9-11e8-ad82-b3fe44882268",
"value": "Triout"
},
{
"description": "active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/adware-disguised-as-game-tv-remote-control-apps-infect-9-million-google-play-users/"
],
"synonyms": [
"AndroidOS_HiddenAd"
]
},
"uuid": "64ee0ae8-2e78-43bf-b81b-e7e5c2e30cd0",
"value": "AndroidOS_HidenAd"
}
],
"version": 17
"version": 18
}
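Review bot: the new cluster's value is spelled "AndroidOS_HidenAd" with "AndroidOS_HiddenAd" listed as a synonym, and the description repeats the first spelling as the Trend Micro detection name; confirm against the linked Trend Micro post which spelling is the actual detection name, keep that one as the value and leave the other as the synonym so lookups by either name resolve consistently. The description also starts lowercase ("active adware family ..."); capitalising it would read better alongside the other entries.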


@ -41,7 +41,17 @@
},
"uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786",
"value": "Rosenbridge"
},
{
"description": "The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.\n\n\"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit,\" researchers from Proofpoint explain in an analysis released today.\n\nThe other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
]
},
"uuid": "8b50360c-4d16-4f52-be75-e74c27f533df",
"value": "ServHelper"
}
],
"version": 3
"version": 4
}
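Review bot: the ServHelper description opens mid-narrative with "The purpose of the macro was to download and execute a variant of ServHelper", so the macro and campaign it refers to are never identified within the entry; a leading sentence saying what ServHelper is (a backdoor pushed by the Necurs botnet, as the linked BleepingComputer title states) before the quoted paragraphs would let the entry stand on its own. The quoted text also mixes typographic quotes (“hijack”) with escaped ASCII quotes in the same string; one style throughout is easier on downstream consumers.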


@ -301,10 +301,14 @@
".Kirked"
],
"ransomnotes": [
"https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png",
"!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. 
Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER",
"!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. 
Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER"
],
"ransomnotes-filenames": [
"RANSOM_NOTE.txt"
],
"ransomnotes-refs": [
"https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png"
],
"refs": [
"https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/",
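Review bot: moving the image URL out of "ransomnotes" into the new "ransomnotes-refs" list and adding "ransomnotes-filenames" is the right split, but the retained note text still carries "3000375 -199390 0 0" immediately before the Monero wallet address, which does not read as part of the note and looks like residue copied along with the text; check the linked id-ransomware post and drop those tokens if they are not in the original note. The note body itself is otherwise only re-emitted with its trailing comma removed, so the diff is larger than the actual change.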
@ -3297,7 +3301,8 @@
".[cyberwars@qq.com].war",
".risk",
".RISK",
".bkpx"
".bkpx",
".[newsantaclaus@aol.com].santa"
],
"ransomnotes": [
"README.txt",
@ -3312,7 +3317,8 @@
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
"https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg",
"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg",
"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg"
"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg",
"https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"
],
"refs": [
"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html",
@ -3327,7 +3333,9 @@
"https://twitter.com/demonslay335/status/1059940414147489792",
"https://twitter.com/JakubKroustek/status/1060825783197933568",
"https://twitter.com/JakubKroustek/status/1064061275863425025",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/"
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
"https://www.youtube.com/watch?v=qjoYtwLx2TI",
"https://twitter.com/GrujaRS/status/1072139616910757888"
]
},
"uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
@ -5663,7 +5671,8 @@
".WORK",
".SYSTEM",
".MOLE66",
".BACKUP"
".BACKUP",
"[16 uppercase hex].SYS"
],
"ransomnotes": [
"HELP_YOUR_FILES.html (CryptXXX)",
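Review bot: the new extension entry "[16 uppercase hex].SYS" is a pattern, whereas every other item in "extensions" is a literal string such as ".BACKUP" or ".MOLE66"; anything matching file names against this field will never hit it. Suggest storing ".SYS" as the extension and putting the "preceded by 16 uppercase hex characters" detail into the description instead.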
@ -5679,7 +5688,9 @@
"Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number",
"!!!All your files are encrypted!!!\nWhat to decipher write on mail alpha2018a@aol.com\nDo not move or delete files!!!!\n---- Your ID: 5338f74a-3c20-4ac0-9deb-f3a91818cea7 ----\n!!! You have 3 days otherwise you will lose all your data.!!!",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nbackuppc@tuta.io\n\nbackuppc@protonmail.com\n\nbackuppc1@protonmail.com\n\nb4ckuppc1@yandex.com\n\nb4ckuppc2@yandex.com\n\nbackuppc1@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[id] number"
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nbackuppc@tuta.io\n\nbackuppc@protonmail.com\n\nbackuppc1@protonmail.com\n\nb4ckuppc1@yandex.com\n\nb4ckuppc2@yandex.com\n\nbackuppc1@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[id] number",
"https://pbs.twimg.com/media/DuFQ4FdWoAMy7Hg.jpg",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nleab@tuta.io\n\nitprocessor@protonmail.com\n\npcambulance1@protonmail.com\n\nleablossom@yandex.com\n\nblossomlea@yandex.com\n\nleablossom@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[redacted lowercase GUID] number"
],
"refs": [
"http://www.nyxbone.com/malware/CryptoMix.html",
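Review bot: the added items put an image link ("https://pbs.twimg.com/media/DuFQ4FdWoAMy7Hg.jpg") and a full note body side by side in "ransomnotes", while the Ryuk and LockerGoga entries added further down in this same file already use "ransomnotes-refs" for links and "ransomnotes-filenames" for file names; keeping the note text here and moving the link to "ransomnotes-refs" would match that newer layout. The "informartion" spelling is part of the quoted note and should stay as is.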
@ -5692,7 +5703,10 @@
"https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/new-backup-cryptomix-ransomware-variant-actively-infecting-users/"
"https://www.bleepingcomputer.com/news/security/new-backup-cryptomix-ransomware-variant-actively-infecting-users/",
"https://twitter.com/demonslay335/status/1072227523755470848",
"https://www.coveware.com/blog/cryptomix-ransomware-exploits-cancer-crowdfunding",
"https://www.bleepingcomputer.com/news/security/cryptomix-ransomware-exploits-sick-children-to-coerce-payments/"
],
"synonyms": [
"Zeta"
@ -10032,7 +10046,9 @@
".CRYPTO",
".lolita",
".stevenseagal@airmail.cc",
".lol"
".lol",
".crypted034",
".ironhead"
],
"ransomnotes": [
"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
@ -10047,7 +10063,9 @@
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg",
"_How to restore files.TXT",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtzAAIAW0AEHC86[1].jpg"
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtzAAIAW0AEHC86[1].jpg",
"https://pbs.twimg.com/media/DuC07vPWkAAMekP.jpg",
"How to restore encrypted files.txt"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
@ -10060,7 +10078,8 @@
"https://twitter.com/demonslay335/status/1007694117449682945",
"https://twitter.com/demonslay335/status/1049316344183836672",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
"https://twitter.com/Amigo_A_/status/1039105453735784448"
"https://twitter.com/Amigo_A_/status/1039105453735784448",
"https://twitter.com/GrujaRS/status/1072057088019496960"
]
},
"uuid": "cf8fbd03-4510-41cc-bec3-712fa7609aa4",
@ -10986,7 +11005,8 @@
"Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/"
"https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/",
"https://www.kaspersky.com/blog/keypass-ransomware/23447/"
],
"synonyms": [
"KeyPass"
@ -11567,15 +11587,19 @@
{
"meta": {
"extensions": [
".XY6LR"
".XY6LR",
".gerber5",
".FJ7QvaR9VUmi"
],
"ransomnotes": [
"https://pbs.twimg.com/media/Dtz4PD2WoAIWtRv.jpg",
"DECRYPT.txt"
"DECRYPT.txt",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/14/Dt-APfCW0AADWV8[1].jpg"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
"https://twitter.com/petrovic082/status/1071003939015925760"
"https://twitter.com/petrovic082/status/1071003939015925760",
"https://twitter.com/Emm_ADC_Soft/status/1071716275590782976"
]
},
"uuid": "3bcc725f-6b89-4350-ad79-f50daa30f74e",
@ -11612,7 +11636,130 @@
},
"uuid": "23fcbbf1-93ee-4baf-9082-67ca26553643",
"value": "JungleSec"
},
{
"description": "GrujaRS discovered the EQ Ransomware that drops a ransom note named README_BACK_FILES.htm and uses .f**k (censored) as its extension for encrypted files. May be GlobeImposter.",
"meta": {
"extensions": [
".fuck"
],
"ransomnotes": [
"README_BACK_FILES.htm",
"https://pbs.twimg.com/media/Dt4xTDjWwAEBjBh.jpg"
],
"refs": [
"https://twitter.com/GrujaRS/status/1071349228172124160",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-14th-2018-slow-week/",
"https://www.youtube.com/watch?v=uHYY6XZZEw4"
]
},
"uuid": "edd4c8d0-d971-40a6-b7c6-5c57a4b51e48",
"value": "EQ Ransomware"
},
{
"description": "extension \".Mercury\", note \"!!!READ_IT!!!.txt\" with 4 different 64-char hex as ID, 3 of which have dashes. Possible filemarker, same in different victim's files.",
"meta": {
"extensions": [
".mercury"
],
"ransomnotes": [
"!!!READ_IT!!!.txt",
"!!! ATTENTION, YOUR FILES WERE ENCRYPTED !!!\n\nPlease follow few steps below:\n\n1.Send us your ID.\n2.We can decrypt 1 file what would you make sure that we have decription tool!\n3.Then you'll get payment instruction and after payment you will get your decryption tool!\n\n\n Do not try to rename files!!! Only we can decrypt all your data!\n\n Contact us:\n\ngetmydata@india.com\nmydataback@aol.com\n\n Your ID:[redacted 64 uppercase hex]:[redacted 64 uppercase hex with dashes]\n[redacted 64 uppercase hex with dashes]:[redacted 64 uppercase hex with dashes]"
],
"refs": [
"https://twitter.com/demonslay335/status/1072164314608480257"
]
},
"uuid": "968cf828-0653-4d86-a01d-186db598f391",
"value": "Mercury Ransomware"
},
{
"meta": {
"extensions": [
".locked"
],
"ransomnotes": [
"ODSZYFRFUJ_PLIKI_TERAZ.txt",
"https://pbs.twimg.com/media/DuIsIoWXQAEGKlr.jpg"
],
"refs": [
"https://twitter.com/GrujaRS/status/1072468548977680385"
]
},
"uuid": "ea390fa7-94ac-4287-8a2d-c211330671b0",
"value": "Forma Ransomware"
},
{
"meta": {
"extensions": [
".djvu"
],
"ransomnotes": [
"_openme.txt",
"---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED ----------------------------------------------- \n\nDon't worry, you can return all your files!\nAll your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\nThis software will decrypt all your encrypted files.\nWhat guarantees do we give to you?\nYou can send one of your encrypted file from your PC and we decrypt it for free.\nBut we can decrypt only 1 file for free. File must not contain valuable information\nDon't try to use third-party decrypt tools because it will destroy your files.\nDiscount 50% available if you contact us first 72 hours.\n\n---------------------------------------------------------------------------------------------------------------------------\n\n\nTo get this software you need write on our e-mail:\nhelpshadow@india.com\n\nReserve e-mail address to contact us:\nhelpshadow@firemail.cc\n\nYour personal ID:\n[redacted 43 alphanumeric chars]"
],
"refs": [
"https://twitter.com/demonslay335/status/1072907748155842565"
]
},
"uuid": "e37ddc9e-8ceb-4817-a17e-755aa379ed14",
"value": "Djvu"
},
{
"description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuks appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
"meta": {
"ransomnotes-filenames": [
"RyukReadMe.txt"
],
"ransomnotes-refs": [
"https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig3.png",
"https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig4.png"
],
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
]
},
"uuid": "f9464c80-b776-4f37-8682-ffde0cf8f718",
"value": "Ryuk ransomware"
},
{
"description": "In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
]
},
"uuid": "09fa0e0a-f0b2-46ea-8477-653e627b1c22",
"value": "BitPaymer"
},
{
"meta": {
"extensions": [
".locked"
],
"ransomnotes-filenames": [
"README-NOW.txt"
],
"ransomnotes-refs": [
"https://www.bleepstatic.com/images/news/u/1100723/Ransomware/LockerGoga-ransom-note.png"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/"
]
},
"uuid": "1e19dae5-80c3-4358-abcd-2bf0ba4c76fe",
"value": "LockerGoga"
},
{
"description": "We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rigs traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates.\nThe new malvertising campaign we observed since July 25 is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users arent diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that they hosted their malvertisement page on a free web hosting service and used domain name system canonical name (DNS CNAME) to map their advertisement domain on a malicious webpage on the service.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-as-a-service-princess-evolution-looking-for-affiliates/"
]
},
"uuid": "53da7991-62b7-4fe2-af02-447a0734f41d",
"value": "Princess Evolution"
}
],
"version": 46
"version": 52
}
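Review bot: the Mercury entry's description says the extension is ".Mercury" but its "extensions" field lists ".mercury"; pick the case that matches the linked tweet, since consumers doing exact comparison will miss one of them. Within this one hunk the new entries also follow two layouts: EQ, Mercury, Forma and Djvu put file names, image links and note bodies together in "ransomnotes", while Ryuk and LockerGoga use "ransomnotes-filenames" and "ransomnotes-refs"; the split layout should be used throughout. Smaller points: the EQ description censors the extension (".f**k") that the "extensions" field spells out; the value "Ryuk ransomware" carries the word "ransomware" while every other value in the hunk is the bare family name; and several descriptions lost their apostrophes ("Ryuks appearance", "U.K.s National Health Service", "Rigs traffic stream", "users arent"), presumably from curly quotes being dropped when the text was pasted.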


@ -3298,7 +3298,17 @@
},
"uuid": "ef9f1592-0186-4f5d-a8ea-6c10450d2219",
"value": "BONDUPDATER"
},
{
"description": "Proofpoint also point out that FlawedGrace is a full-featured RAT written in C++ and that it is a very large program that \"extensive use of object-oriented and multithreaded programming techniques. \"As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
]
},
"uuid": "428c8288-6f65-453f-bfa2-4b519d08f8e9",
"value": "FlawedGrace"
}
],
"version": 23
"version": 24
}
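Review bot: the FlawedGrace description has a broken quotation: `a very large program that \"extensive use of object-oriented and multithreaded programming techniques. \"As a consequence` is missing the verb before "extensive" (presumably "makes"), and the closing quote lands before "As a consequence", which reads as part of the quoted passage rather than the entry's own words. Suggest `a very large program that \"makes extensive use of object-oriented and multithreaded programming techniques. As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task.\"` Also, "Proofpoint also point out" reads as a continuation of an earlier sentence that is not in the entry; opening with what FlawedGrace is (a full-featured C++ RAT, per the same sentence) would let it stand alone.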


@ -363,7 +363,8 @@
"Luder",
"Nemim",
"Tapaoux",
"Pioneer"
"Pioneer",
"Shadow Crane"
]
},
"related": [
@ -999,12 +1000,14 @@
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"https://www.cfr.org/interactive/cyber-operations/apt-10",
"https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
"https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf"
],
"synonyms": [
"APT10",
"APT 10",
"MenuPass",
"Menupass Team",
"happyyongzi",
"POTASSIUM",
"DustStorm",
@ -1560,7 +1563,7 @@
{
"description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889. One of the threat actors responsible for the denial of service attacks against U.S in 20122013. Three individuals associated with the group—believed to be have been working on behalf of Irans Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016. ",
"meta": {
"cfr-suspected-state-sponsor": " Iran (Islamic Republic of)",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"Bank of America",
"US Bancorp",
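Review bot: stripping the leading space from "cfr-suspected-state-sponsor" is the right fix, since " Iran (Islamic Republic of)" compares unequal to the same name without the space and silently breaks any grouping or filtering on that field. While touching this entry, the description context line shows "U.S in 20122013" (the dash between the years is gone) and "Irans Islamic Revolutionary Guard Corps" (missing apostrophe); both look like characters lost on paste and are worth restoring in the same change.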
@ -2665,7 +2668,8 @@
"Operation Troy",
"Operation GhostSecret",
"Operation AppleJeus",
"APT38"
"APT38",
"Stardust Chollima"
]
},
"related": [
@ -2930,7 +2934,8 @@
"Chinastrats",
"Patchwork",
"Monsoon",
"Sarit"
"Sarit",
"Quilted Tiger"
]
},
"related": [
@ -3910,7 +3915,8 @@
"APT-C-00",
"SeaLotus",
"APT-32",
"APT 32"
"APT 32",
"Ocean Buffalo"
]
},
"related": [
@ -4115,12 +4121,14 @@
"refs": [
"https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/",
"https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/",
"https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish"
"https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/"
],
"synonyms": [
"Cobalt group",
"Cobalt gang",
"GOLD KINGSWOOD"
"GOLD KINGSWOOD",
"Cobalt Spider"
]
},
"uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
@ -4242,7 +4250,8 @@
"synonyms": [
"APT26",
"Hippo Team",
"JerseyMikes"
"JerseyMikes",
"Turbine Panda"
]
},
"related": [
@ -4518,7 +4527,8 @@
"https://www.cfr.org/interactive/cyber-operations/kimsuky"
],
"synonyms": [
"Kimsuky"
"Kimsuky",
"Velvet Chollima"
]
},
"uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
@ -4931,7 +4941,8 @@
"https://www.cfr.org/interactive/cyber-operations/muddywater"
],
"synonyms": [
"TEMP.Zagros"
"TEMP.Zagros",
"Static Kitten"
]
},
"related": [
@ -5547,7 +5558,12 @@
"description": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
"https://mobile.twitter.com/360TIC/status/1083289987339042817",
"https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/"
],
"synonyms": [
"LazyMeerkat"
]
},
"uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9",
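Review bot: the new ref "https://mobile.twitter.com/360TIC/status/1083289987339042817" uses the mobile host, while every other Twitter ref in this file (for example "https://twitter.com/GrujaRS/status/1072139616910757888" in the ransomware cluster above) uses the canonical twitter.com form; normalising it keeps the refs deduplicable and consistent.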
@ -6126,7 +6142,116 @@
},
"uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
"value": "Operation Sharpshooter"
},
{
"description": "TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/",
"https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png"
]
},
"uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
"value": "TA505"
},
{
"description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
]
},
"uuid": "3cf6dbb5-bf9e-47d4-a8d5-b6d76f5a791f",
"value": "GRIM SPIDER"
},
{
"description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
]
},
"uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f",
"value": "WIZARD SPIDER"
},
{
"description": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malwares capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/"
]
},
"uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
"value": "MUMMY SPIDER"
},
{
"description": "Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA (activities of which have been public reported as part of the “Lazarus Group”), because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017. ",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
]
},
"uuid": "d8e1762a-0063-48c2-9ea1-8d176d14b70f",
"value": "STARDUST CHOLLIMA"
},
{
"description": "In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.",
"meta": {
"refs": [
"https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/"
],
"synonyms": [
"Nahr Elbard",
"Nahr el bared"
]
},
"uuid": "7d99d2f7-adf0-44e4-9044-d18ff6842a16",
"value": "Cold River"
},
{
"description": "a relatively new threat actor thats been operating since mid-2016",
"meta": {
"refs": [
"https://reaqta.com/2019/01/silence-group-targeting-russian-banks/"
]
},
"uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726",
"value": "Silence group"
},
{
"description": "APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as \"Chafer.\" However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.",
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html"
],
"synonyms": [
"APT 39"
]
},
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
"value": "APT39"
},
{
"description": "FireEye recently looked deeper into the activity discussed in TrendMicros blog and dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1.\nThe Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.",
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html"
]
},
"uuid": "27c97181-b8e9-43e1-93c0-f953cac45326",
"value": "Siesta"
},
{
"description": "Symantec researchers have uncovered a previously unknown attack group that is targeting government and military targets, including several overseas embassies of an Eastern European country, and military and defense targets in the Middle East. This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign.\nThe group, which we have given the name Gallmaker, has been operating since at least December 2017, with its most recent activity observed in June 2018.",
"meta": {
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group"
]
},
"uuid": "c79dab01-3f9f-491e-8a5f-6423339c9f76",
"value": "Gallmaker"
}
],
"version": 84
"version": 90
}
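Review bot: the WIZARD SPIDER entry's description opens with the same sentence as the GRIM SPIDER entry ("GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018 ..."), so a reader of WIZARD SPIDER is shown GRIM SPIDER defined first; start the entry from "The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware ..." and keep the GRIM SPIDER cell relationship as the second sentence. Several pasted descriptions also lost their apostrophes ("the malwares capabilities" in MUMMY SPIDER, "thats been operating" in Silence group, "TrendMicros blog" in Siesta), the STARDUST CHOLLIMA description ends with a trailing space before the closing quote, and the Silence group description is a lowercase fragment that names neither the targets nor the tooling its reference covers; expanding it is also the moment to check for an already existing Silence entry elsewhere in the file so this does not add a duplicate. Finally, Siesta is described as a campaign that may be APT1 or a copycat rather than as an actor; say so explicitly in the description, or link it to the APT1 entry if one is present, so the value is not mistaken for a distinct group.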

View File

@ -7233,7 +7233,8 @@
"description": "rootkit for the Unified Extensible Firmware Interface (UEFI). Used by APT28. The researchers named the rootkit LoJax, after the malicious samples of the LoJack anti-theft software that were discovered earlier this year.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"
"https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
"https://www.bleepingcomputer.com/news/security/lojax-command-and-control-domains-still-active/"
]
},
"uuid": "6d53a74e-c8a5-11e8-a123-332e4eaac9bb",
@ -7508,7 +7509,40 @@
},
"uuid": "0147c0fd-ed74-4d38-a823-130542d894a3",
"value": "OSX.BadWord"
},
{
"description": "The initial Trojan horse infection (the fake Flash Player installer) component of OSX/Shlayer leverages shell scripts to download additional malware or adware onto the infected system.\nThe primary goal of OSX/Shlayer is to download and install adware onto an infected Mac.\nAlthough \"adware\" may not sound like a big deal, it can be a lot more harmful than the name implies; be sure to watch our aforementioned interview with Amit Serper to learn more about one particular example of malicious Mac adware.\nAt least one variant of the malware also appears to exhibit an interesting behavior: It checks whether one of several Mac anti-virus products is installed.",
"meta": {
"refs": [
"https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/"
]
},
"uuid": "6e60cb73-0bcc-45bf-b14f-633aa7ffc8b4",
"value": "OSX/Shlayer"
},
{
"meta": {
"refs": [
"https://www.virusbulletin.com/blog/2019/02/malspam-security-products-miss-banking-and-email-phishing-emotet-and-bushaloader/"
]
},
"uuid": "4473f19e-ad0f-4191-bb7f-a28ef7ae3be3",
"value": "Bushaloader"
},
{
"description": "Backdoor",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/",
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
],
"synonyms": [
"UPPERCUT"
]
},
"uuid": "588b97ff-3434-4aa1-a5fd-815e1bb0178b",
"value": "ANEL"
}
],
"version": 107
"version": 109
}
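Review bot: the Bushaloader entry has no "description" field at all, and the ANEL entry's description is the single word "Backdoor"; the reference slugs already give enough for a sentence each (Bushaloader is covered in the Virus Bulletin malspam post alongside Emotet, and ANEL is tied to ChessMaster and to APT10's updated TTPs by its two refs), so add a short description to both rather than shipping near-empty entries. In the OSX/Shlayer description, drop the sentence "Although \"adware\" may not sound like a big deal ... be sure to watch our aforementioned interview with Amit Serper ...", which is blog narration copied verbatim and points at an interview that is not among the refs; the remaining three sentences are the ones that actually describe the malware.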